angr solver for the collision challenge of pwnable.kr
from angr import Project, surveyors
from sys import exit
import claripy
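# ---- parameters --------------------------------------------------------------
# pstr:    address where the symbolic input buffer is placed in memory
# phcode:  address the program loads the target hash from
# find:    address the explorer should reach (the "you win" block in main)
# retn:    return address pushed on the stack, since execution starts inside
#          check_password (called from main) while `find` lives in main
# avoid:   the "you fail" address the explorer must stay away from
# correct: the hash value the input has to collide with
pstr = 0x800000
phcode = 0x0804a020
find = 0x0804856e
retn = 0x08048564
avoid = 0x08048581
correct = 0x21dd09ec
# length of the input buffer; a null terminator is placed right after it
INPUT_LEN = 20

# project and state initialization: the blank state starts at check_password.
# NOTE(review): `state.se`, `factory.path` and `surveyors.Explorer` are the
# 2017-era angr API; newer releases expose `state.solver` and simulation
# managers instead -- confirm against the installed angr version.
p = Project("./col")
istate = p.factory.blank_state(addr=0x8048494)

# symbolic input: INPUT_LEN bytes, each constrained to a non-null printable
# ASCII character, followed by a single null byte.  Integer bounds are used
# so the comparison does not depend on claripy's string-operand handling.
inp = istate.memory.load(pstr, INPUT_LEN)
for byte in inp.chop(8):
    istate.add_constraints(byte != 0)
    istate.add_constraints(byte >= 0x20)  # ' '
    istate.add_constraints(byte <= 0x7e)  # '~'
terminator = istate.memory.load(pstr + INPUT_LEN, 1)
istate.add_constraints(terminator == 0)

# plant the target hash where the program reads it (little-endian dword);
# memory.store has no useful return value, so it is not bound to a name
istate.memory.store(phcode, claripy.BVV(correct, 32), endness='Iend_LE')

# build the stack frame: the argument (pointer to the input) is pushed first,
# then the return address, presumably mirroring the layout right after
# main's call into check_password
istate.stack_push(istate.se.BVV(pstr, 32))
istate.stack_push(retn)

# explore from the initial path until `find` is reached, pruning `avoid`
ipath = p.factory.path(state=istate)
ex = surveyors.Explorer(p, start=ipath, find=(find,), avoid=(avoid,), enable_veritesting=True)
print("Running...")
r = ex.run()

# extract the found state if all goes well; exit non-zero otherwise
if r.found:
    print("We did it reddit!")
    fstate = r.found[0].state
else:
    print("Better luck next time...")
    exit(1)

# concretize the input buffer from the winning state and print it
ans = fstate.se.any_str(fstate.memory.load(pstr, INPUT_LEN))
print(ans)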